HERCULES SIL3 certification

Hello,

I am thinking about using a Hercules CPU with lock-step for a new safety development (SIL3), but I would need some clarifications.

Regarding the inputs: to get a SIL3 certification, redundancy in the input is needed, so in the case of using two CPUs the signal from one sensor is connected to both CPUs, which have similar SW and are controlling the signal.

As far as I know, in this kind of safety CPU the safety functions are programmed only in one core, and the second core is just checking that the first one is running the instructions properly. So my doubts are:

1. How do you manage one input for which SIL3 is required with only one core? Is this possible?

2. Is it enough for SIL2/SIL3 to program the safety functions only in one core instead of two SW in two CPUs, as it has been done before? Am I missing something?

Maybe someone has already certified a SIL2/SIL3 product using this architecture and could help me out!

Thanks and best regards,

  • Hello,
    There are multiple standards that use the "SIL 3" terminology. Our components use this in reference to IEC 61508. If you are using a different standard, then different requirements may apply.

    IEC 61508 does not mandate redundancy on any logic or signal. It mandates that specific targets for the SFF and PFH metrics are met for the target SIL. For the SFF calculation, you need to evaluate the ratio of safe to dangerous failures and apply diagnostics. A redundant sampling of a sensor on multiple inputs is one possible diagnostic. Other possible diagnostics could be time-diverse sampling on a simplex input, encoding the sensor data, plausibility checks on the sensor data, etc.

    The same is true for CPUs - unless you are assuming hardware fault tolerance under IEC 61508, there is no requirement for redundancy. The MCU is claimed to have HFT = 0; any redundancy on chip is provided for diagnostic capability rather than fail operational/hardware fault tolerant behavior.

    The architecture of the MCU is approved by TUEV SUED in a concept study, and yesterday we announced that the first member of the 65nm family to go through certification is now certified IEC 61508 SIL 3 compliant. We have had a number of customers successfully certify their end applications with these products to IEC 61508 and to other end-equipment functional safety standards, but we cannot publicly disclose specifics due to confidentiality agreements.

    Regards,
    Karl
  • Yes, you are right: whether redundancy is needed depends on the diagnostic level.

    In case we are speaking of HFT = 0, we need to prove an SFF > 99% (according to EN 62061 / IEC 61508). I can understand that connecting the sensor to two different inputs plus some tests done on the sensor signal could be enough to reach this level. But how about the CPU? Could you explain to me a little bit what both cores are doing? My understanding is that one of them is running the application, checking the sensor signals and activating/deactivating the outputs, but I'm not sure what exactly the second core is doing.

    Thanks and best regards,
  • Hello,
    As shown in the MCU safety manual, the two CPU cores are in a 1oo1D configuration. I'll call the functional channel core Core A and the diagnostic core Core B. The functional channel is made up of Core A. The diagnostic channel is made up of Core B and the core compare module (CCM-R4). All inputs to Core A are also fed to Core B (after a 2-cycle delay for temporal diversity). Core A outputs feed the rest of the MCU and are an input to the CCM-R4 (after a 2-cycle delay for temporal diversity). Core B outputs only drive the CCM-R4.
    In such fashion, all code which is running on Core A is also running on Core B in a redundant (but not hardware fault tolerant) fashion. The CCM compares the outputs of the two cores and indicates an error if there is a miscompare.

    Regards,
    Karl
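Karl's 1oo1D description modelled as a toy simulation, added here as an example (not TI's code and not the real CCM-R4 logic): Core A, Core B, the 2-cycle delay and the comparator come from the post, while the instruction list, the fault masks and the cycle numbers are constructed. It shows why the temporal delay matters: a transient upset hitting both cores in the same cycle is still caught, whereas with no delay it would pass the compare silently.

```python
"""Toy model of the 1oo1D lockstep scheme described in the post (added
example, not TI code): Core A is the functional channel, Core B the diagnostic
core, and a CCM-style comparator checks Core A's result, delayed DELAY cycles,
against Core B's result. Program, fault model and cycle numbers are constructed."""
from typing import Callable

DELAY = 2  # cycles of temporal diversity between the two cores (from the post)

# Constructed "program": every instruction is an injective function of the
# running register value, so a corrupted value never silently re-converges.
PROGRAM: list[Callable[[int], int]] = [
    lambda s: s + 3, lambda s: s * 2, lambda s: s ^ 0x55, lambda s: s - 1] * 3


class Core:
    def __init__(self) -> None:
        self.state, self.pc = 0, 0

    def step(self, fault_mask: int = 0) -> int:
        """Execute one instruction. fault_mask models a transient upset that
        flips bits of this core's result in this cycle (0 = no fault)."""
        if self.pc < len(PROGRAM):
            self.state = PROGRAM[self.pc](self.state) ^ fault_mask
            self.pc += 1
        return self.state


def run_lockstep(faults: dict[int, tuple[int, int]], delay: int = DELAY):
    """Run Core A and, `delay` cycles later, Core B on the same program.
    faults maps cycle -> (mask applied to A, mask applied to B) in that cycle.
    Returns (cycles at which the comparator flagged a miscompare, final A state)."""
    core_a, core_b = Core(), Core()
    a_outputs: list[int] = []  # Core A results, buffered for the delayed compare
    miscompares: list[int] = []
    for cycle in range(len(PROGRAM) + delay):
        mask_a, mask_b = faults.get(cycle, (0, 0))
        a_outputs.append(core_a.step(mask_a))
        if cycle >= delay:  # Core B lags Core A by `delay` cycles
            if core_b.step(mask_b) != a_outputs[cycle - delay]:
                miscompares.append(cycle)
    return miscompares, core_a.state


if __name__ == "__main__":
    print("no fault:", run_lockstep({})[0])                        # []
    print("upset in A only, first flag:", run_lockstep({4: (0x08, 0)})[0][:1])  # [6]
    print("common-cause upset, 2-cycle diversity:",
          run_lockstep({4: (0x08, 0x08)})[0][:1])                  # [4]
    print("common-cause upset, no diversity:",
          run_lockstep({4: (0x08, 0x08)}, delay=0)[0])             # [] (undetected)
```

The single-core upset is flagged two cycles after it occurs, when Core B reaches the same instruction; the same-cycle common-cause upset is flagged immediately because the cores are executing different instructions at that moment.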